Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY) | Mandiant
Common Information
Type Value
UUID 4fc46eba-ffd7-42d1-82b6-fac48c4bac61
Fingerprint 64cdb41056336ff0
Analysis status DONE
Considered CTI value 1
Text language
Published April 3, 2017, midnight
Added to db Nov. 6, 2023, 7:09 p.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)
Title Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY) | Mandiant
Detected Hints/Tags/Attributes 54/1/3
RSS Feed
Id Enabled Feed title Url Added to db
330 Threat Intelligence https://www.mandiant.com/resources/blog/rss.xml 2024-08-30 22:08
Attributes
Type #Events CTI Value
File 240 wmic.exe
File 50 urlmon.dll
Threat Actor Identifier - APT 665 APT29